Fast flux
Fast Flux is a DNS technology used by botnets that can hide the location of web servers. This is handled with a DNS server and load distribution via DNS (round robin DNS). Fast flux networks are usually used in phishing and DoS attacks.
Single flux
The simplest type of fast-flux, also called single-flux, is characterized by multiple individual nodes, which can enter and remove their address in the DNS A record of a single domain themselves. This combines Round Robin DNS with a very short Time to Live (TTL) in order to generate permanently changing end addresses for the individual domains. This list can be hundreds or thousands of entries long.
Double flux
A more demanding type of fast flux, which is also called double flux , is characterized by multiple nodes which can independently enter their address in a part of the DNS-NS record for the DNS zone and then unsubscribe again. This creates an additional layer of redundancy and survivability within the malware network.
Reverse proxy
The botnet operators use reverse proxies for their fast flux networks, most of which come from their own botnet. Only those who have a fast internet connection and who have been online for a particularly long time will be included in a fast flux network.
A reverse proxy is a communication interface that is switched in front of a server and in its place listens on the http port. This has three possible goals:
- Increase in performance: The proxy can cache web content and deliver it back directly.
- Security: The server can hang in the internal network and is therefore invisible from the outside.
- Load distribution: The proxy can distribute its requests over several servers.
Examples of fast flux botnets
| Botnet | Trojans |
|---|---|
| Storm botnet | Tibs, Peacomm, Nuwar, Zhelatin, Peed |
| Rustock | RKRustok, Costrat |
| Pushdo | Pandex, Mutant, Wigon, Pushdo |
| Mega-D | Ozdok |
| Kneber | egot, Zeus |
| Warezov | Stration |